Enable Branch Protection GET API Without Admin

Hi,

Would it be feasible to open the 

GET branch/protection/required_status_checks 

API to authenticated users who are not an owner of a given repository? I am attempting to integrate automatic pull request merging within our enterprise server, but that would currently require giving a service account ownership privileges, which is a potential security concern.

Thanks


Hey @benjaminwinokur 

Can you clarify? 
What account would this automation use?

How are you automating? CI tool, Script, GitHub App?
And how does getting the required status checks impact this automation?

Interestingly, giving non-owners information about branch protection should also be a security concern.

Maybe this could help https://github.com/marketplace/auto-merge or perhaps save some time… :slight_smile:

If you use a GitHub App or OAuth App, you can get more fine-grained control over access via scoping… which may ease your security concerns … some informative links below

https://developer.github.com/apps/about-apps/#determining-which-integration-to-build
https://developer.github.com/apps/differences-between-apps/
https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/

Happy to chat in more detail and maybe figure something out …

The application uses a personal access token that has been generated for a service account. I have a docker container that scans our enterprise server for matching labels and then attempts to perform the requested action. The reason I need the branch protections is because some repositories have a “branch must be up to date” requirement. This means that if I have multiple PRs for a given repository, the first one must be merged, and then the others must be re-updated, which triggers another CI build action. This branch protection only being on some repositories causes issues because there is no way to determine if I need to update the head with the base. I attempted to do this through an attempted merge and writing logic off of the returned error message, but if the branch needs to be updated, there is not a unique error message returned from the API response.

I wish I could use the auto-merge tool, but the application also checks to ensure the code from our developers conforms to our standards and runs a series of checks. This highly customized behavior means that a 3rd party option is not possible.

I may have to look into using an OAuth / GitHub application to accomplish this task.


hey @benjaminwinokur 

That makes more sense :) 

I guess you could look at auto-merge for those repositories that don’t have the “branch must be up to date” rule enforced; ¯\_(ツ)_/¯

I’m not sure how you are currently automating; but if you are using GitHub apps / probot then this API should help :) https://developer.github.com/v3/pulls/#update-a-pull-request-branch 

I totally get your concerns around the machine account permissions; but as with everything there is a trade-off between security, risk, exposure, likelihood and impact against the business benefits… 

The only truly secure computing can be found locked away in a basement, disconnected from the internet, and turned off at the power source, which is not super useful :)

Joking aside, using a GitHub app, or OAuth app should allow you to use the least privileged rights to achieve your automation; which is the best possible outcome… 

@i-marsh 

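The thread leaves the practical question open: how does a non-admin service account decide whether a PR head must be brought up to date before merging, given that the `required_status_checks` endpoint is admin-only and a failed merge attempt returns no distinctive error? The following is an added example, not code from the original posts or from GitHub. It assumes a GitHub Enterprise API base of `https://ghe.example/api/v3` (placeholder), a token with read and write access to the repository but no admin rights, and the documented REST v3 endpoints `GET .../branches/{branch}/protection/required_status_checks`, `GET .../compare/{base}...{head}` and `PUT .../pulls/{number}/update-branch` (the last is the endpoint linked in the reply above). The compare endpoint is a swap-in the thread does not mention: it only needs read access and reports `behind_by`, so the planner can fall back to a conservative "update if behind" rule whenever the protection rule is not visible. The `transport` callable is injected so the logic runs offline against constructed responses.

```python
"""Least-privilege merge planner for a labelled PR (added example, not from the thread).

Assumptions (hypothetical): API base https://ghe.example/api/v3, a service
account token without admin rights, GitHub REST v3 endpoints as documented.
"""
import json
import urllib.error
import urllib.request

API_BASE = "https://ghe.example/api/v3"  # placeholder host; github.com uses https://api.github.com


def http_transport(token):
    """Build a transport(method, path, payload) -> (status, body) on urllib."""
    def transport(method, path, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(API_BASE + path, data=data, method=method)
        req.add_header("Authorization", "token " + token)
        req.add_header("Accept", "application/vnd.github+json")
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            raw = err.read()
            return err.code, (json.loads(raw) if raw else {})
    return transport


def fake_transport(responses):
    """Offline transport over constructed responses keyed by (method, path)."""
    def transport(method, path, payload=None):
        return responses[(method, path)]
    return transport


def required_checks_strict(transport, owner, repo, branch):
    """True/False when the protection rule is readable; None when the token
    cannot see it (the endpoint answers non-admins with 403/404) or the
    branch is simply unprotected."""
    path = f"/repos/{owner}/{repo}/branches/{branch}/protection/required_status_checks"
    status, body = transport("GET", path)
    if status != 200:
        return None
    return bool(body.get("strict", False))


def commits_behind(transport, owner, repo, base, head):
    """Commits `head` lacks relative to `base`; compare needs read access only."""
    status, body = transport("GET", f"/repos/{owner}/{repo}/compare/{base}...{head}")
    if status != 200:
        raise RuntimeError(f"compare failed with HTTP {status}")
    return int(body.get("behind_by", 0))


def plan_action(transport, owner, repo, pr):
    """Return 'update_branch' or 'merge' for one pull request dict
    (shape follows the REST pulls object: base.ref, head.ref)."""
    base, head = pr["base"]["ref"], pr["head"]["ref"]
    strict = required_checks_strict(transport, owner, repo, base)
    behind = commits_behind(transport, owner, repo, base, head)
    # With the rule visible, update only when it actually demands it.
    # Without it (None), be conservative: update whenever the head is behind,
    # which never yields a merge the rule would reject, at the cost of an
    # extra CI run on repositories that do not enforce the rule.
    if behind > 0 and strict in (True, None):
        return "update_branch"
    return "merge"


def update_branch(transport, owner, repo, number, head_sha):
    """Ask GitHub to merge base into the PR head; 202 means the job was accepted."""
    status, _ = transport(
        "PUT",
        f"/repos/{owner}/{repo}/pulls/{number}/update-branch",
        {"expected_head_sha": head_sha},
    )
    return status == 202
```

`expected_head_sha` guards against updating a branch that moved between the plan and the PUT; if GitHub reports a mismatch (HTTP 422), re-read the PR and plan again rather than retrying blindly.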